[Snort-users] Question about stream4
hendo at ...3663...
Fri Nov 19 06:07:26 EST 2004
My company has a mainframe and it is always terminating connections in a
way that trips Snort's stream4 preprocessor.
It always either sets the PSH Flag with RST or even the ACK PSH RST.
This causes a stream4 stealth activity alert.
I want to keep monitoring the mainframe, so a filter is not suitable.
I wish stream4 had some configurability to ignore that flag combo from
that particular address.